Data protection declaration

The present data protection declaration informs you about the means, the scope and the purpose of processing personal data (simply referred to as “data” in the following) when using our online offer and the websites, functions and content connected to it as well as our external online presence, such as our social media profiles (simply referred to as “online offer” in the following). As for the use of certain terms, such as “personal data” or the “processing” thereof, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Data protection officer:

Mandatory data protection officer

We have appointed a data protection officer for our company.

Arndt Rieger
ORA IT-Systeme GmbH
Fritz-Müller-Straße 144
73730 Esslingen a. N.

Telephone: +49 711 901266-00

Kinds of data processed by us:

  • contact data
  • content data
  • usage data
  • meta and communication data

Processing of special categories of personal data (Art. 9 Par. 1 GDPR):

No special categories of personal data are processed.

Categories of people affected by data processing:

  • Customers / interested parties / suppliers.
  • Visitors and users of the online offer.

In the following the people concerned will be referred to as “users”.

Purpose of processing:

  • Making available the online offer, its contents and functions.
  • Replying to contact requests and communication with users.
  • Marketing, advertising, and market research.

Changing and updating the data protection declaration

We ask you to regularly check the content of our data protection declaration. We update our data protection declaration whenever changes in our data processing require us to do so. We will inform you whenever these changes require some action on your part (for example consent) or if another individual notification is required.

Safety measures

  1. As regulated in Art. 32 GDPR we shall take the appropriate technical and organizational measures to provide a safety level proportional to the risks, taking into account the state of technology, cost of implementation, the manner, scope, circumstances and purpose of data processing as well as the different likelihoods and degrees of risk to the rights and freedom of natural persons; among these measures are specifically the control of physical access to the data, as well as its access, input, dissemination, availability and separation in order to ensure privacy, integrity and availability of the data. We have also implemented a process that guarantees users’ rights, the deletion of data and a reaction in the case of danger to the data. Furthermore, we take the protection of personal data into account during the development or selection of hardware, software as well as processes that include the principle of data protection through the design of technology as well as privacy-protecting default settings (Art. 25 GDPR).
  2. One of the specific safety measures is the encrypted data transfer between your browser and our server.

Cooperation with subcontractors and third parties

  1. If in the course of our data processing we disclose, send or grant access to data to other persons or companies (subcontractors or third parties), we will do this only on a sound legal basis (for example, when the transfer of data to a third party, such as a financial service provider, is necessary to fulfilling contractual obligations according to Art. 6 Par. 1(b) GDPR), when consent has been obtained, if it is a legal obligation, or on the basis of pursuing our legitimate interests (for example when using a representative, web hosting, etc.).
  2. If we entrust third parties with data processing on the basis of a so-called “processing contract”, this shall be in accordance with Art. 28 GDPR.

Transfers of data to third countries

In case of processing data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or when this processing happens in the course of services from a third party or when data is disclosed or transferred to third parties, this shall only happen as part of fulfilling our (pre)contractual obligations, on the basis of consent, on the basis of a legal obligation or in the pursuit of our legitimate interests. Unless there is legal or contractual allowance, we shall only process data or have data processed in a third country in accordance with the specific conditions established in Art. 44 ff. GDPR. That is to say that processing is carried out on the basis of special guarantees, such as the official recognition of a data protection level similar to that of the EU (in the US, for example, via the “privacy shield”) or on the basis of officially recognized special contractual obligations (known as “standard contractual clauses”).

Rights of the data subjects

  1. You have the right to demand confirmation that data concerning you is being processed, as well as to demand information about the data, further information and copies of the data according to Art. 15 GDPR.
  2. In accordance with Art. 16 GDPR you have the right to demand the completion of incomplete personal data as well as the rectification of inaccurate personal data.
  3. You have the right to demand the immediate erasure of personal data according to Art. 17 GDPR or, alternatively, to demand restrictions in the processing of the data according to Art. 18 GDPR.
  4. You have the right to receive the data you have provided us with and to demand its transfer to another controller according to Art. 20 GDPR.
  5. In accordance with Art. 77 GDPR you have the right to lodge a complaint with a supervisory authority.

Right of withdrawal

In accordance with Art. 7 Par. 3 GDPR you have the right to withdraw consent to any future processing of your personal data.

Right to object

In accordance with Art. 21 GDPR you can at any time object to the future processing of your personal data. This objection may specifically be against the data being processed for direct marketing purposes.

Cookies and the right to object in case of direct marketing

We use temporary and permanent cookies, i.e. small data files stored on the user’s internet device (for an explanation of the term and function, please refer to the last section of this data protection declaration). In part these cookies are necessary to the safety and the operation of our online offer (for displaying a website, for example) or to store the user decision when confirming the cookie banner. We and our technology partners also use cookies for reach measurement and marketing purposes, about which the user will be informed within the course of this data protection statement.

A general objection to the use of cookies for purposes of online marketing may be made with a variety of services, especially in case of tracking, with the US website or the EU website. Furthermore, the storage of cookies can be deactivated in the browser settings. Please note that in that case some of the functions of the online offer may not be available.

Erasure of data

  1. Data processed by us is subject to erasure or limitations in processing in accordance with Art. 17 and 18 GDPR. Unless otherwise specified in this data protection declaration, data stored with us is erased when it is no longer needed to fulfill its purpose and erasure is not prevented by legal statutes. Should the data not be erased because it is required for legal purposes, its use will be limited. That means the data will be blocked and not used for other purposes. This applies to data that must be stored for commercial accounting or tax reasons, for example.
  2. According to legal requirements storage is mandatory for 6 years according to Art. 257 Par. 1 HGB (bookkeeping, inventory, opening balances, annual financial statements, commercial correspondence, accounting records, etc.) as well as for 10 years according to Art. 147 Par. 1 AO (books, records, reports, accounting records, commercial correspondence, tax-related documents, etc.).

First contact

  1. On first contact with us (via contact form or email) the user data will be used for the processing and reply to the inquiry according to Art. 6 Par. 1(b) GDPR.
  2. User data may be stored in our Customer Relationship Management System (“CRM System”) or similar data base.

Collection of access data and log files

  1. On the basis of pursuing our legitimate interests according to Art. 6 Par. 1(f) GDPR we collect data about every access to the server which hosts our services (so-called server log files). The access data includes the name of the website visited, file, date and time of access, data volume transferred, successful access confirmation, browser type and version, the OS of the user, referrer URL (the site visited just before), IP-address and the connecting internet provider.
  2. Log file information is stored for a maximum of seven days for security reasons (for example for the investigation of misuse or fraud) and then deleted. Data which needs to be stored further as evidence is exempt from deletion until the clarification of the particular incident.

Cookies & reach measurement

  1. Cookies are information that is transferred from our webserver or third party webservers to the user’s web-browser and stored there for later recall. Cookies can be small files or other forms of data storage. Users are informed in the course of this data protection statement about the use of cookies for pseudonymous reach measurement. If users don’t want cookies to be stored on their devices, they are asked to deactivate this function in their browser menu. Stored cookies can be deleted in the settings menu of the browser. The exclusion of cookies may lead to a restricted functioning of the online offer.
  2. You may object to the use of cookies for reach measurement and advertising purposes via the deactivation page of the network advertising initiative as well as the US website or the European website.


  1. In the following notes we would like to inform you about the content of our newsletter as well as the registration, distribution and statistical evaluation process thereof as well as your right to objection. By registering for our newsletter you consent to receiving it as well as to the described processes.
  2. Content of the newsletter: We send newsletters, emails and other electronic messages containing advertising information (“newsletter” in the following) only with the consent of the recipient or with legal allowance. As long as the content of the newsletter is clearly described during the registration process, the user’s consent becomes binding. Our newsletters contain information about our latest projects, product news as well as events and company news concerning Holzmedia GmbH.
  3. Double-Opt-In and records: Registration for our newsletter uses a so-called double-opt-in process. That means that after registering you receive an email asking you to confirm your registration. This confirmation is necessary to avoid people registering using fake or stolen emails. Registrations for the newsletter are recorded in order to be able to prove the registration in accordance with legal requirements. This includes recording the registration and confirmation time as well as the IP address. Changes in your data with the distributor will also be recorded.
  4. Distributor: Distribution of the newsletter is handled by “MailChimp”, a newsletter distribution platform of the US service provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can access the data protection plan of the distributor here: The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and thus offers a guarantee of fulfilling European data protection requirements.
  5. Furthermore the distributor informs that he is able to use the data in pseudonymous form, i.e. without being linked to specific users, in order to improve and optimize his own service, for example for technical optimization of distribution or for the display of the newsletter or for statistical reasons, such as to study from which countries the recipients are. The distributor will not use the data to contact the recipients of the newsletter, nor will he make this data available to third parties.
  6. Registration data: To register for the newsletter you only need to indicate your email address.
  7. Performance assessment: The newsletters contain a so-called “web-beacon”, i.e. a pixel-sized file, which is retrieved by the server of the distributor when the newsletter is opened. In the course of this retrieval some technical information is collected, such as information about your browser and system, your IP address and the time of access. This information is used for the technical improvement of the service based on technological data or data of target groups and their reading habits based on location of log-in (which can be determined via the IP-address) or the time of log-in. Another part of the technical information indicates whether the newsletters are opened, when they are opened and what links have been clicked on. This information technically could be traced to specific users. But it is neither our aim, nor that of the distributor, to observe individual users. Instead, the assessment is used to learn about the reading habits of the users and to adapt our content to them or to send different content based on the interests of the users.
  8. The distribution of the newsletter and the performance assessment happen on the basis of consent by the user in accordance with Art. 6 Par. 1(a) GDPR, Art. 7 GDPR together with Art. 7 Par. 2(3) UWG, or on the basis of legal allowance according to Art. 7 Par. 3 UWG.
  9. The recording of the registration process takes place on the basis of us pursuing our legitimate interests according to Art. 6 Par. 1(f) GDPR and serves as proof of consent to receiving the newsletter.
  10. Cancellation/withdrawal: You can cancel the subscription to our newsletter at any time, i.e. withdraw your consent. You will find a link for cancellation at the end of each newsletter. If users have only registered for the newsletter and then cancel the subscription, their personal data will be erased.

Social media

  1. Content-sharing using plugins (Facebook, Google+1, Twitter & Co.): The content of our webpages can be shared in social media like Facebook, Twitter or Google+ compliant with data protection laws. In order to do so this site uses the eRecht24 Safe Sharing Tool. This tool establishes direct contact between networks and users only when the user actively clicks on one of these buttons. The tool does not automatically transfer user data to the operators of such platforms. If the user is registered with one of the above social networks, the use of the social button in Facebook, Google+ 1, Twitter & co. causes an information window to open, in which the user can confirm the text before sending. Our users can share the contents of the site in social networks in a manner compliant with data protection regulation, without the operators of the networks creating complete web-surfing profiles.
  2. Facebook-plugins (like & share-button): Our webpages incorporate plugins from the social network Facebook; the provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You can recognize the Facebook plugins on our webpages by the Facebook-logo or the “like-button”. Please find more information about Facebook plugins here: When visiting our webpages, the plugin establishes a direct connection between your browser and the Facebook server. Facebook thus receives the information that you with your IP-address have visited our site. If you click the Facebook “like-button” while logged in to your Facebook account, Facebook can link the content of our pages to your Facebook profile. In this case Facebook can associate the visit to our webpage with your Facebook user account. We would like to point out that as provider of webpages we have no knowledge of the content of transferred data nor do we know how it is used by Facebook. Please find more information about that in Facebook’s data protection statement at: If you don’t wish Facebook to be able to associate your visit to our website with your Facebook user account, please make sure you are logged out of your Facebook account before visiting our website.

Integration of third party services and content

  1. On the basis of our pursuit of our legitimate interests (i.e. an interest in analyzing, optimizing and the economical operating of our online offer in accordance with Art. 6 Par. 1(f) GDPR) we use content and service offers from third parties, in order to integrate their content, such as videos or fonts (referred to as “content” in the following). This requires the third party providers to see the IP-address of the user, as without the IP-address they would not be able to send their content to the user’s browser. In other words, the IP-address is necessary to the displaying of these contents. It is our aim to use only content whose providers use the IP-address solely for the purpose of delivering their content. Third party providers can also use so-called “pixel-tags” (invisible graphic elements, also known as “web beacons”) for statistical or marketing purposes. These pixel-tags can be used to collect information, such as visitor traffic on the website. The pseudonymous information may also be stored in cookies on the user’s device and may contain information about, among others, the browser and the operating system, referring URLs, time of visit and further information regarding the use of our online offer, and it may be linked to similar information from other sources.
  2. Our online offer uses Mapbox Tiles to display interactive maps. The Mapbox Tiles API is a map service from Mapbox Inc. (Mapbox). Through the use of the Mapbox Tiles API information about the use of the website including your IP-address may be transmitted to Mapbox in the USA. When you open a page that contains Mapbox Tiles maps, your browser establishes a direct connection with the servers of Mapbox. The map content is sent directly from the Mapbox servers to your browser, which incorporates it into the webpage. Thus we have no influence on the amount of data that is collected this way by Mapbox. If you don’t want Mapbox to collect, process and use information about you through our online offer, you can deactivate JavaScript in your browser settings. In this case you cannot use the maps, however. Please find further information about the purpose and scope of data collection by Mapbox, your rights as well as possible settings to protect your privacy in the data protection declaration of Mapbox at: There you will find, among others, that Mapbox records the IP-address of the visitor, the URL of the site visited as well as date and time of the visit. According to Mapbox, this information is used solely for diagnosis and analysis purposes in order to improve the services provided. Mapbox does not make personal data available to third parties. You also have the possibility to avoid Mapbox cookies by deactivating third party cookies in your browser settings.
  3. We use Adobe Typekit for the visual design of our online offer. Typekit is a service from Adobe Systems Software Ireland Ltd., which allows us access to a font library. To include the fonts used by us your browser needs to establish a connection to an Adobe server in the USA and download the font needed for our website. Adobe thus receives the information that your IP-address has opened our website. Please find further information about Adobe Typekit in the data protection statement of Adobe at:
  4. We use Monotype MyFonts for the visual design of our online offer. MyFonts is a service from Monotype Imaging Holdings Inc., which allows us access to a font library. To include the fonts used by us your browser needs to establish a connection to a Monotype server in the USA and download the font needed for our website. Monotype thus receives the information that your IP-address has opened our website. Please find further information about Monotype MyFonts in the data protection statement of Monotype at:
  5. Our online offer uses plugins from the video portal Vimeo, provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. When you visit one of our webpages that includes a Vimeo plugin, a connection is established with the Vimeo servers. Vimeo will be informed about which of our webpages you have visited. Also Vimeo will know your IP-address. This is also true if you are not logged in at Vimeo or don’t have an account with Vimeo. The information collected by Vimeo will be transferred to the Vimeo server in the USA. If you are logged in to your Vimeo account, you allow Vimeo to associate your browsing activity with your personal user profile. You can avoid this by logging out of your Vimeo account before visiting our webpage. Please find further information about the handling of user data in Vimeo’s data protection statement at